From 3ab7284a6413043f5e40c592b2907954b126a661 Mon Sep 17 00:00:00 2001
From: Thomas Leonard <talex5@gmail.com>
Date: Wed, 29 May 2019 15:22:15 +0100
Subject: [PATCH] Note that mirage-firewall cannot be used as UpdateVM

Reported at: https://groups.google.com/forum/#!topic/qubes-users/YPFtbwyoUjc
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 960e568..97b8122 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,14 @@ qvm-prefs --set my-app-vm netvm mirage-firewall
 
 Alternatively, you can configure `mirage-firewall` to be your default firewall VM.
 
+Note that by default dom0 uses sys-firewall as its "UpdateVM" (a proxy for downloading updates).
+mirage-firewall cannot be used for this, but any Linux VM should be fine.
+https://www.qubes-os.org/doc/software-update-dom0/ says:
+
+> The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and
+> there are no significant security implications in this choice. By default,
+> this role is assigned to the firewallvm.
+
 ### Components
 
 This diagram show the main components (each box corresponds to a source `.ml` file with the same name):